Analysis
-
max time kernel
57s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
10-09-2024 22:03
General
-
Target
d91d3dba1e492cdc999cd2f7d8a22c2e_JaffaCakes118.exe
-
Size
1.8MB
-
MD5
d91d3dba1e492cdc999cd2f7d8a22c2e
-
SHA1
d4b46c959754f8f00e136783429455feb434e373
-
SHA256
497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
-
SHA512
44b4fd513551176f7890bc3f6c4009087ada59f22594ab69807ef88e86d1e22aab498da30c160eb8aebdf21b11f2dd9c69ae8259b5da4489bd73e0f373607fdd
-
SSDEEP
49152:p1PIEUo4HUzX3NZIYAaNtMMSmtS5Mu2AukpycABfB71cx:/hUnsQYAaNtnzS5/2xcAJhY
Malware Config
Extracted
lokibot
http://idp.vn/wp-includes/js/crop/Panel/five/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
AdWind
A Java-based RAT family operated as malware-as-a-service.
-
Class file contains resources related to AdWind 2 IoCs
-
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
-
Modifies firewall policy service 3 TTPs 9 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 3 IoCs
-
Windows security bypass 2 TTPs 18 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 17 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 19 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 21 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 8 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\d91d3dba1e492cdc999cd2f7d8a22c2e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d91d3dba1e492cdc999cd2f7d8a22c2e_JaffaCakes118.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server.jar"3⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server1.jar"3⤵
-
-
C:\Windows\SysWOW64\build.exe"C:\Windows\system32\build.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\SysWOW64\buildmgr.exeC:\Windows\SysWOW64\buildmgr.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server.jar"4⤵
-
-
C:\Program Files\Java\jre7\bin\javaw.exe"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Windows\system32\server1.jar"4⤵
-
-
C:\Windows\SysWOW64\build.exe"C:\Windows\system32\build.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\buildmgr.exeC:\Windows\SysWOW64\buildmgr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe "4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Checks whether UAC is enabled
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
- outlook_office_path
- outlook_win_path
-
C:\Users\Admin\AppData\Roaming\svchostmgr.exeC:\Users\Admin\AppData\Roaming\svchostmgr.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 1766⤵
- Program crash
-
-
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4B
MD56e5991ad90048a48f15753189db599f6
SHA140b28a210d8579ea0b49c1c79351ff45db5f1e01
SHA25657151d64d3b54250d35016c2146be081d2692976edc824233d5556b973ff80d7
SHA5124347af77f90c2ca1ea4a66acc7d4005322fbe41f719c8edbe3a4dfc4188912c0f550da155ed2637ad060960ea2f45dee15f1e341c05c702995f040a09ceada87
-
Filesize
46B
MD5d898504a722bff1524134c6ab6a5eaa5
SHA1e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA51226a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61
-
Filesize
46B
MD5c07225d4e7d01d31042965f048728a0a
SHA169d70b340fd9f44c89adb9a2278df84faa9906b7
SHA2568c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA51223d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b
-
Filesize
257B
MD5cc66fd00fe50872041a3c63191c69f3f
SHA19cfa23356d4c9a177fb656601abc42330f802ead
SHA256ccdea6ea375048418d6e8b3e270ce0028100723bebf70aee1468b24fb95e09b9
SHA51293e6fe93d897036a96a3a38f75742b6fe1d786fd6dd5654acc3d175c22ac16d93fbd7aa4ecadbf32355ed034566d26135deb6b6513be353e94c56f601567b990
-
Filesize
473KB
MD5e5cd3dde85d18f58adf2baaa660c6728
SHA1656ecf0740dcf0792f58c0d2948b1d721efdcd99
SHA256ec8522c41c9bbd8e7625a62c0ae9c98cbe130d396a65ba70316e98deb988fbcb
SHA512d83fa91d3f8595fd6ed467a43f8d1a373942f39c144000e735babb8f7cc6c9972b8944cce56fa04e48f9cb0c60562be3dd79ec14a52aad840a3c7123f606bb6e
-
Filesize
473KB
MD55fb36a3af54997d4b665deda56c06894
SHA180f8db18da9ec369acba09449c48a6daba2fbf96
SHA256fb270bd422f667d3e4317132a2ae2805bde6e7154be681a12648b2ddd824639f
SHA512cae2f1db1aa5f83d9971ba9aadd32f1cdf33f9b79e6f480b3727cf3dfe3956f670b46559c554c1529a627f557a951edcbb2b4a6bca5b2d40c9021d12f4b7e38a
-
Filesize
100KB
MD513906680c25ddeaadd10e3eb3d3f5eca
SHA1de19abfa8b247378d3f92dc4b25c991cdb593cfb
SHA2560006aa3e85bab7c9b1231e823fad6adae18363a350c6ef9a8d0f42607933688f
SHA512bb1b53753ef55bc531ad0f2fafa96d1b05d5fdefc96df7aaddc3de78472968fd6c5b3cda1cc3e6b9b744aa8123b48b8004222e1c7706379e55bfe5ab03602e0f
-
Filesize
1.2MB
MD5d124f55b9393c976963407dff51ffa79
SHA12c7bbedd79791bfb866898c85b504186db610b5d
SHA256ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06
-
Filesize
1.1MB
MD59b98d47916ead4f69ef51b56b0c2323c
SHA1290a80b4ded0efc0fd00816f373fcea81a521330
SHA25696e0ae104c9662d0d20fdf59844c2d18334e5847b6c4fc7f8ce4b3b87f39887b
SHA51268b67021f228d8d71df4deb0b6388558b2f935a6aa466a12199cd37ada47ee588ea407b278d190d3a498b0ef3f5f1a2573a469b7ea5561ab2e7055c45565fe94
-
Filesize
1.8MB
MD5d91d3dba1e492cdc999cd2f7d8a22c2e
SHA1d4b46c959754f8f00e136783429455feb434e373
SHA256497fa678528f8dc7dfaebe76f73061581f621d5eb2ed06e0c8b937a9131e9191
SHA51244b4fd513551176f7890bc3f6c4009087ada59f22594ab69807ef88e86d1e22aab498da30c160eb8aebdf21b11f2dd9c69ae8259b5da4489bd73e0f373607fdd
-
Filesize
284KB
MD5893388d890e5d46cb68616529088b6e3
SHA16a8bfe9901157ae9e1a589c868f15ea1f7c060ac
SHA256bb7182eb5c655dc0a27d495b63c34805c23065234cec48d672fd86272c9df6c8
SHA512e38c2163d9ef295d201566dfd4a4b31d93ca263c203ca2d75ad91aebdf0945253112198aae50b9b433470b11e60aa5c20428472472e641c1350bed474de6c24d
-
Filesize
106KB
MD5fe36fb1073e6f8fa14d7250501a29aaf
SHA16c7e01278362797dabcff3e666b68227cb9af10f
SHA256f34e5af97ccb3574f7d5343246138daf979bfd1f9c37590e9a41f6420ddb3bb6
SHA5128584c008c5780352f634c37b7f46543a26280b57577b675f6e72185bfc1d95f771d210d799d704eceaba509ebfd2796fb43829495d5b2a568c741ad2d44f882f
-
Filesize
8KB
-
Filesize
832KB
-
Filesize
832KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
4KB
-
Filesize
832KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
8KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
832KB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
16.6MB
-
Filesize
832KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
8KB